Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

CVE-2022-41915

Severity Medium
Score 6.5/10

Summary

The Netty project is an event-driven asynchronous network application framework. In affected versions, when calling `DefaultHttpHeaders.set` with an iterator of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP response splitting. Integrators can work around the issue by replacing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call with a `remove()` call followed by `add()` in a loop over the iterator of values. This issue affects io.netty:netty-codec versions 4.1.83.Final through 4.1.85.Final and io.netty:netty5-codec version 5.0.0.Alpha5.
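The workaround described above, written out as an added example (this is not Netty's own code and not part of the advisory). It assumes `netty-codec-http` 4.1.x is on the classpath; the helper `setValidated` is a name chosen here, and the header values are constructed so that one of them carries the CR/LF sequence CWE-113 is about. The `remove()` and `add()` calls are the ones the advisory names; `add()` runs the header validator that the iterator overload of `set()` skipped on affected versions.

```java
import io.netty.handler.codec.http.DefaultHttpHeaders;
import io.netty.handler.codec.http.HttpHeaders;

import java.util.Arrays;
import java.util.Iterator;
import java.util.List;

public final class HeaderSetWorkaround {

    /**
     * Advisory workaround: instead of set(name, iterator), clear the name and
     * add each value individually so every value passes header validation.
     * (Hypothetical helper name; not part of Netty's API.)
     */
    static HttpHeaders setValidated(HttpHeaders headers, CharSequence name, Iterator<?> values) {
        headers.remove(name);                 // drop any existing values for this name
        while (values.hasNext()) {
            headers.add(name, values.next()); // add() validates the value; CR/LF is rejected
        }
        return headers;
    }

    public static void main(String[] args) {
        // Constructed sample input: one benign value, then one carrying CRLF,
        // which would split the response if it reached the wire unvalidated.
        List<String> values = Arrays.asList(
                "no-cache",
                "no-store\r\nX-Injected: 1");

        HttpHeaders headers = new DefaultHttpHeaders(); // validation is enabled by default

        // Pattern to replace on the affected versions: the Iterator overload named in
        // the advisory stored the values without validating them.
        // headers.set("Cache-Control", values.iterator());

        try {
            setValidated(headers, "Cache-Control", values.iterator());
            System.out.println("unexpected: CRLF value was accepted");
        } catch (IllegalArgumentException e) {
            // The validator in add() rejects the CRLF-bearing value
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("values present: " + headers.getAll("Cache-Control"));
    }
}
```

Because `add()` validates one value at a time, a rejected value leaves the values added before it in place (here `no-cache` survives); a caller that needs all-or-nothing behaviour should materialise and check the iterator before touching the header map. On fixed versions the original `set()` call rejects the same input, so the loop can be reverted once the dependency is upgraded.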

  • LOW
  • NETWORK
  • LOW
  • UNCHANGED
  • NONE
  • NONE
  • LOW
  • NONE

CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

The software receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

Advisory Timeline

  • Published